Americans can keep using their existing routers no matter where they were made. They can even buy replacements of the same models. The government isn't requiring patches, recalls, or security updates. So what exactly does the United States router ban actually ban? Future routers that don't exist yet.
The Federal Communications Commission's new foreign router ban, which took effect this month under FCC Chairman Brendan Carr, creates a peculiar form of cybersecurity theater. The agency claims that routers made abroad pose "unacceptable risks" to national security, yet the policy leaves every allegedly vulnerable device currently in American homes and offices completely untouched.
The disconnect between the stated threat and the actual response reveals the policy's limitations. "Consumers currently using covered routers in small and home offices do not need to do anything," the FCC writes in its guidance. No patches required, no recalls issued, no restrictions on existing hardware whatsoever.
Even the US government plans to keep using the same equipment it now considers a security risk. The FCC explicitly states that government agencies can continue operating foreign-made routers, despite the alleged national security implications.
If these devices are so dangerous, why isn't anyone required to stop using them?
The FCC's justification document points to serious cyberattacks like Volt Typhoon and Salt Typhoon, claiming that "routers produced abroad were directly implicated" in breaches targeting American infrastructure. But cybersecurity experts note these attacks often succeeded due to basic security failures rather than foreign manufacturing.
"A lot of these monopolies had gotten so lax with their privacy and security standards that they forget to change default admin passwords on a lot of their routers," veteran telecom reporter Karl Bode tells The Verge. The biggest infrastructure hacks exploited well-known vulnerabilities that were patched years earlier but never updated by companies or users.
Consumer Reports' Stacey Higginbotham captures the real router security problem: manufacturers routinely abandon security support without telling customers. "It's like if you could buy milk without an expiration date. Except unlike milk, which smells when it's no longer safe, your router gives no sign."
The practical impact of the ban depends on how companies respond. Router manufacturers face two choices: stop shipping new products to the US market entirely, like Chinese dronemaker DJI has done, or apply for conditional FCC approval for each new device.
- New router models from foreign manufacturers seeking first-time US authorization
- Devices where any major development stage (design or assembly) happened abroad
- Products containing "modular transmitters" from companies deemed security risks
The definition of "foreign" proves especially broad. American brands like Netgear, Google Nest, Amazon Eero, and Ubiquiti all manufacture their routers in Asia, the same way Apple produces most devices overseas. Even Elon Musk's Starlink, which does manufacture some equipment domestically, also produces hardware in Vietnam and has received FCC authorization for both US-made and Vietnamese-made devices.
The ban covers more than just Wi-Fi routers. The FCC defines routers loosely as any devices that "forward data packets between networked systems," potentially including cable modems, pocket hotspots, network switches, and Wi-Fi extenders. Companies self-certify their compliance, leaving enforcement to customs inspections that may or may not happen.
The policy creates an odd timeline for security updates. The FCC issued a waiver allowing existing routers to receive software patches until March 1st, 2027 — but then admits that companies don't typically need FCC approval for routine security updates anyway, making the waiver largely meaningless.
The router ban builds on infrastructure established during the first Trump administration's campaign against Chinese telecom equipment. The Secure and Trusted Communications Act of 2019 created the "covered list" mechanism for identifying security threats, while Biden's Secure Equipment Act of 2021 barred the FCC from authorizing any listed equipment.
What emerges is a policy that treats the symptom rather than the disease. Instead of requiring better security practices, longer support lifecycles, or transparency about update policies, the ban simply redirects the supply chain. American consumers will still buy routers that may never receive security patches — they'll just be assembled somewhere else.
The Department of Defense and NASA continue purchasing equipment from TP-Link, the Chinese company that controls at least a third of the US consumer router market and has been under government investigation. If the security threat were truly urgent, the disconnect between policy and practice suggests either the risk is overstated or the response is inadequate.
For now, the ban functions more as trade policy than cybersecurity measure. It won't make existing networks more secure, won't accelerate the patching of vulnerable devices, and won't address the fundamental problem of manufacturers abandoning security support. It will, however, make it harder for foreign companies to introduce new products to American consumers — which may have been the point all along.